Year: 2014 (Page 2 of 4)

Earlier this month Microsoft announced that its Office 365 subscribers would be able to upload an unlimited amount of data into Microsoft’s cloud-based infrastructure. Microsoft notes that the unlimited data storage capacity is:

just one small part of our broader promise to deliver a single experience across work and life that helps people store, sync, share, and collaborate on all the files that are important to them, all while meeting the security and compliance needs of even the most stringent organizations.

Previously, subscribers could store up to 1TB of data in OneDrive. The new, unlimited storage model, creates new potential uses of the Microsoft cloud including even “wholesale backup of their computer hard drives, or even of their local backup drives”. And, given OneDrive’s integration with contemporary Windows operating systems there is the opportunity for individuals to expand what they store to the Cloud so it can be accessed on other devices.

While the expanded storage space may be useful to some individuals and organizations, it’s important to question Microsoft’s assertion that OneDrive meets the most stringent organization’s security and compliance needs. One reason to question these assertions arise out of a memo that was disclosed by National Security Agency (NSA) whistleblower Edward Snowden. The memo revealed that:

access to large portions of Internet traffic that moves through American servers;

disclosure of collected information to other parties (e.g. the Drug Enforcement Agency);

European policy analysts agree that Section 702 is overly permissive(.pdf) and argue that the definitions used in the section are so general that “any data of assistance to US foreign policy is eligible, including expressly political surveillance over ordinary lawful democratic activities.” The scope of surveillance was made worse as a result of the FISA Amendments Act 2008. While the FAA 2008 is perhaps best known for providing legal immunity to companies which participated in the warrantless wiretapping scandal, it also expanded the scope of NSA surveillance. Specifically:

[b]y introducing “remote computing services” (a term defined in ECPA 1986 dealing with law enforcement access to stored communications), the scope was dramatically widened communications and telephony to include Cloud computing (.pdf source).

Microsoft’s expansion of OneDrive storage limits is meant to enhance its existing consumer cloud offerings. And such cloud storage can produce workplace efficiencies by simplifying access to documents, protecting against device loss, and externalizing some security-related challenges.

However, if subscribers take advantage of the new unlimited storage and send ever-increasing amounts of data into Microsoft’s cloud, then there will be a much greater amount of information that is readily available to the NSA (and other allied SIGINT agencies). And given that Section 702 authorizes surveillance of foreign political activities there is a real likelihood that data content which was previously more challenging for NSA to access will now be more readily available to interception and analysis.

Signals intelligence agencies, such as the NSA, are likely not top of mind threats to individuals around the world. However, Microsoft’s willingness to manufacture government access to personal and business data should give people pause before they generate sensitive documents, share or store intimate photos, or otherwise place important data in Microsoft’s cloud infrastructure. Any company so willing to engineer its users’ privacy out of personal and enterprise services alike must be treated with a degree of suspicion and its product announcement and security assurances with extremely high levels of skepticism.

On April 10, 2014, Blackberry’s enterprise chief publicly stated that his company had no intention of releasing transparency reports concerning how often, and under what terms, the company has disclosed Blackberry users’ personal information to government agencies. BlackBerry’s lack of transparency stands in direct contrast to its competitors: Google began releasing transparency reports in 2009, and Apple and Microsoft in 2013. And BlackBerry’s competitors are rigorously competing on personal privacy as well, with Apple recently redesigning their operating system to render the company unable to decrypt iDevices for government agencies and having previously limited its ability to decrypt iMessage communications. Google will soon be following Apple’s lead.

So, while Blackberry’s competitors are making government access to telecommunications data transparent to consumers and working to enhance their users’ privacy, BlackBerry remains tight-lipped about how it collaborates with government agencies. And as BlackBerry attempts to re-assert itself in the enterprise market — and largely cede the consumer market to its competitors — it is unclear how it can alleviate business customers’ worries about governments accessing BlackBerry-transited business information. Barring the exceptional situation where data from BlackBerry’s network is introduced as evidence in a court process businesses have no real insight of the extent to which Blackberry is compelled to act against its users’ interests by disclosing information to government agencies. And given that the company both owns an underlying patent for, and integrated into its devices’ VPN client, a cryptographic algorithm believed vulnerable to surreptitious government spying it’s not enough to simply refuse to comment on why, and the extent to which, BlackBerry is compelled to help governments spy on its customer base.

We know that BlackBerry has been legally and politically bludgeoned into developing, implementing, and providing training courses on intercepting and censoring communications sent over its network. At the same time, we know that many employees at BlackBerry genuinely care about developing secure products and delivering them to the world; reliable, secure, and productive communications products are ostensibly the lifeblood that keeps the company afloat. So why, knowing what we know about the company’s ethos and the surveillance compulsions it has faced in the past, is it so unwilling to be honest with its current and prospective enterprise customers and develop transparency reports: for fear that customers would flee the company upon realizing the extent to which BlackBerry communications are accessed or monitored by governments, because of gag-orders they’ve agreed to in order to sell products in less-democratic nations, or just because they hold their customers is contempt?

The significance of Edward Snowden’s disclosures is an oft-debated point; how important is the information that he released? And, equally important, what have been the implications of his revelations? Simon Davies, in association with the Institute of Information Law of the University of Amsterdam and Law, Science, Technology & Social Studies at the Vrie Universiteit of Brussels, has collaborated with international experts to respond to the second question in a report titled A Crisis of Accountability: A global analysis of the impact of the Snowden revelations.

In what follows, I first provide a narrative version of the report’s executive summary. The findings are sobering: while there has been a great deal of international activity following Snowden’s revelations, the tangible outcomes of that activity has been globally negligible. I then provide the text of the Canadian section of the report, which was drafted by Tamir Israel, myself, and Micheal Vonn. I conclude by providing both an embedded and downloadable version of the report.

Lawful access legislation was recently (re)tabled by the Government of Canada in November 2013. This class of legislation enhances investigative and intelligence-gathering powers, typically by extending search and seizure provisions, communications interception capabilities, and subscriber data disclosure powers. The current proposed iteration of the Canadian legislation would offer tools to combat inappropriate disclosure of intimate images as well as extend more general lawful access provisions. One of the little-discussed elements of the legislation is that it will empower government authorities to covertly install, activate, monitor, and remove software designed to track Canadians’ location and ‘transmission data.’

In this post I begin by briefly discussing this class of government-used malicious surveillance software, which I refer to as ‘govware’. Next, I outline how Bill C–13 would authorize the use of govware. I conclude by raising questions about whether this legislation will lead government agencies to compete with one another, with some agencies finding and using security vulnerabilities, and others finding and fixing the vulnerabilities such tools rely. I also argue that a fulsome debate must be had about govware based on how it can broadly threaten Canadians’ digital security. Continue reading

Parsons, Christopher. (2015). “Stuck on the Agenda: Drawing lessons from the stagnation of ‘lawful access’ legislation in Canada,” Michael Geist (ed.), Law, Privacy and Surveillance in Canada in the Post-Snowden Era (Ottawa University Press).

Parsons, Christopher. (2015). “Beyond the ATIP: New methods for interrogating state surveillance,” in Jamie Brownlee and Kevin Walby (Eds.), Access to Information and Social Justice (Arbeiter Ring Publishing).

Bennett, Colin, and Parsons, Christopher. (2013). “Privacy and Surveillance: The Multi-Disciplinary Literature on the Capture, Use, and Disclosure of Personal information in Cyberspace” in W. Dutton (Ed.), Oxford Handbook of Internet Studies.

McPhail, Brenda; Parsons, Christopher; Ferenbok, Joseph; Smith, Karen; and Clement, Andrew. (2013). “Identifying Canadians at the Border: ePassports and the 9/11 legacy,” in Canadian Journal of Law and Society 27(3).

Parsons, Christopher; Savirimuthu, Joseph; Wipond, Rob; McArthur, Kevin. (2012). “ANPR: Code and Rhetorics of Compliance,” in European Journal of Law and Technology 3(3).